couchloop-eq-mcp 1.0.0

package/dist/server/oauth/refreshTokenRotation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refreshTokenRotation.js","sourceRoot":"","sources":["../../../src/server/oauth/refreshTokenRotation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,GAAG,MAAM,cAAc,CAAC;AA+B/B;;GAEG;AACH,MAAM,CAAN,IAAY,aAKX;AALD,WAAY,aAAa;IACvB,gDAA+B,CAAA;IAC/B,8DAA6C,CAAA;IAC7C,wDAAuC,CAAA;IACvC,4DAA2C,CAAA;AAC7C,CAAC,EALW,aAAa,KAAb,aAAa,QAKxB;AAED;;;GAGG;AACH,MAAM,OAAO,mBAAmB;IACtB,aAAa,GAAG,IAAI,GAAG,EAAuB,CAAC;IACtC,gBAAgB,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,KAAK,CAAC,CAAC,CAAC,aAAa;IACjF,iBAAiB,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,SAAS,CAAC,CAAC,CAAC,UAAU;IACpF,kBAAkB,GAAG,GAAG,CAAC,CAAC,4BAA4B;IACtD,sBAAsB,GAAG,IAAI,CAAC,CAAC,yBAAyB;IAEzE;;OAEG;IACH,KAAK,CAAC,iBAAiB,CACrB,MAAc,EACd,QAAgB,EAChB,QAAkC;QAElC,MAAM,QAAQ,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACvD,MAAM,YAAY,GAAG,IAAI,CAAC,oBAAoB,EAAE,CAAC;QACjD,MAAM,gBAAgB,GAAG,eAAe,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QAEjE,MAAM,MAAM,GAAgB;YAC1B,QAAQ;YACR,gBAAgB,EAAE,gBAAgB;YAClC,mBAAmB,EAAE,EAAE;YACvB,MAAM;YACN,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,WAAW,EAAE,IAAI,IAAI,EAAE;YACvB,aAAa,EAAE,CAAC;YAChB,QAAQ;SACT,CAAC;QAEF,sCAAsC;QACtC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACzC,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QAEpD,wBAAwB;QACxB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAErE,MAAM,CAAC,IAAI,CAAC,4BAA4B,QAAQ,aAAa,MAAM,EAAE,CAAC,CAAC;QAEvE,OAAO;YACL,WAAW;YACX,YAAY;YACZ,SAAS,EAAE,IAAI,CAAC,gBAAgB;YAChC,SAAS,EAAE,QAAQ;SACpB,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,kBAAkB,CACtB,eAAuB,EACvB,QAAkC;QAElC,MAAM,YAAY,GAAG,eAAe,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QAEhE,oBAAoB;QACpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;QAExD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;YAC1D,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAC3C,CAAC;QAED,wCAAwC;QACxC,IAAI,MAAM,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,CAAC;YACnD,MAAM,CAAC,KAAK,CAAC,mCAAmC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;YACnE,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QAED,oDAAoD;QACpD,IAAI,MAAM,CAAC,aAAa,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACpD,MAAM,CAAC,IAAI,CAAC,yCAAyC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;YACxE,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;QAED,yCAAyC;QACzC,IAAI,IAAI,CAAC,wBAAwB,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE,CAAC;YACpD,MAAM,CAAC,IAAI,CAAC,mDAAmD,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;YAClF,MAAM,IAAI,CAAC,gBAAgB,CAAC,aAAa,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC;QACzE,CAAC;QAED,sBAAsB;QACtB,MAAM,eAAe,GAAG,IAAI,CAAC,oBAAoB,EAAE,CAAC;QACpD,MAAM,mBAAmB,GAAG,eAAe,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QACvE,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;QAEtF,sBAAsB;QACtB,MAAM,CAAC,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QACzD,MAAM,CAAC,gBAAgB,GAAG,mBAAmB,CAAC;QAC9C,MAAM,CAAC,WAAW,GAAG,IAAI,IAAI,EAAE,CAAC;QAChC,MAAM,CAAC,aAAa,EAAE,CAAC;QAEvB,uDAAuD;QACvD,IAAI,MAAM,CAAC,mBAAmB,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAC3C,MAAM,CAAC,mBAAmB,GAAG,MAAM,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;QACrE,CAAC;QAED,8BAA8B;QAC9B,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,CAAC,QAAQ,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,GAAG,QAAQ,EAAE,CAAC;QACxD,CAAC;QAED,kBAAkB;QAClB,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,eAAe,EAAE,eAAe,CAAC,CAAC;QAEvE,MAAM,CAAC,IAAI,CAAC,oCAAoC,MAAM,CAAC,QAAQ,eAAe,MAAM,CAAC,aAAa,EAAE,CAAC,CAAC;QAEtG,OAAO;YACL,WAAW,EAAE,cAAc;YAC3B,YAAY,EAAE,eAAe;YAC7B,SAAS,EAAE,IAAI,CAAC,gBAAgB;YAChC,SAAS,EAAE,QAAQ;SACpB,CAAC;IACJ,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,aAAa,CAAC,MAAmB,EAAE,SAAiB;QAChE,yBAAyB;QACzB,IAAI,SAAS,KAAK,MAAM,CAAC,gBAAgB,EAAE,CAAC;YAC1C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,+DAA+D;QAC/D,MAAM,iBAAiB,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;QACpE,IAAI,iBAAiB,GAAG,IAAI,CAAC,sBAAsB,EAAE,CAAC;YACpD,MAAM,YAAY,GAAG,MAAM,CAAC,mBAAmB,CAAC,MAAM,CAAC,mBAAmB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YACvF,IAAI,SAAS,KAAK,YAAY,EAAE,CAAC;gBAC/B,MAAM,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;gBACxD,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAED,8CAA8C;QAC9C,OAAO,MAAM,CAAC,mBAAmB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IACxD,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,gBAAgB,CAAC,MAAmB;QAChD,MAAM,IAAI,CAAC,gBAAgB,CAAC,aAAa,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;QACxE,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC9C,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;IACxC,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,iBAAiB,CAAC,QAAgB;QACtC,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAEhD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO;QACT,CAAC;QAED,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;QAEnB,uCAAuC;QACvC,MAAM,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC;aACzB,GAAG,CAAC;YACH,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,gBAAgB,EAAE,gBAAgB;SACnC,CAAC;aACD,KAAK,CAAC,EAAE,CAAC,WAAW,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC,CAAC;QAElD,qBAAqB;QACrB,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAEpC,MAAM,CAAC,IAAI,CAAC,wBAAwB,QAAQ,aAAa,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QAC1E,MAAM,IAAI,CAAC,gBAAgB,CAAC,aAAa,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAC1E,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,mBAAmB,CAAC,MAAc;QACtC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;QAEnB,oBAAoB;QACpB,MAAM,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC;aACzB,GAAG,CAAC;YACH,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,gBAAgB,EAAE,kBAAkB;SACrC,CAAC;aACD,KAAK,CAAC,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QAEzC,qBAAqB;QACrB,KAAK,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,EAAE,CAAC;YAC9D,IAAI,MAAM,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC7B,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,+BAA+B,MAAM,EAAE,CAAC,CAAC;IACvD,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,eAAe,CAAC,SAAiB;QAC7C,2BAA2B;QAC3B,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,EAAE,CAAC;YACjD,IAAI,MAAM,CAAC,gBAAgB,KAAK,SAAS;gBACrC,MAAM,CAAC,mBAAmB,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBACnD,OAAO,MAAM,CAAC;YAChB,CAAC;QACH,CAAC;QAED,iBAAiB;QACjB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,MAAM,EAAE;aAC7B,IAAI,CAAC,WAAW,CAAC;aACjB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,WAAW,CAAC,gBAAgB,EAAE,SAAS,CAAC,EAC3C,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAC9B,CACF;aACA,KAAK,CAAC,CAAC,CAAC,CAAC;QAEZ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,mCAAmC;QACnC,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QAExB,yBAAyB;QACzB,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,aAAa,IAAI,CAAC,KAAK,CAAC,gBAAgB,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;YACjF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,MAAM,GAAgB;YAC1B,QAAQ,EAAE,KAAK,CAAC,aAAa;YAC7B,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;YACxC,mBAAmB,EAAE,EAAE,EAAE,6CAA6C;YACtE,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,WAAW,EAAE,KAAK,CAAC,SAAS;YAC5B,aAAa,EAAE,CAAC;YAChB,QAAQ,EAAE;gBACR,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,SAAS;gBACvC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,SAAS;aACxC;SACF,CAAC;QAEF,kBAAkB;QAClB,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAEhD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACK,wBAAwB,CAC9B,MAAmB,EACnB,WAAqC;QAErC,6CAA6C;QAC7C,MAAM,qBAAqB,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;QACxE,IAAI,qBAAqB,GAAG,KAAK,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,uBAAuB;QACvB,IAAI,WAAW,EAAE,SAAS;YACtB,MAAM,CAAC,QAAQ,EAAE,SAAS;YAC1B,WAAW,CAAC,SAAS,KAAK,MAAM,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;YACxD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,mBAAmB;QACnB,IAAI,WAAW,EAAE,QAAQ;YACrB,MAAM,CAAC,QAAQ,EAAE,QAAQ;YACzB,WAAW,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACtD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,oBAAoB;QAC1B,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC/C,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,mBAAmB,CAAC,MAAc,EAAE,QAAgB;QAChE,MAAM,OAAO,GAAG;YACd,GAAG,EAAE,MAAM;YACX,SAAS,EAAE,QAAQ;YACnB,UAAU,EAAE,QAAQ;YACpB,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;YAClC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,gBAAgB;SAC3D,CAAC;QAEF,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,iCAAiC,CAAC;QAC3E,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;IAC3D,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,kBAAkB,CAC9B,MAAmB,EACnB,YAAoB;QAEpB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;QACnB,MAAM,cAAc,GAAG,MAAM,eAAe,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC;QAExE,MAAM,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC;aACzB,MAAM,CAAC;YACN,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,aAAa,EAAE,MAAM,CAAC,QAAQ;YAC9B,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;YACzC,qBAAqB,EAAE,cAAc,CAAC,SAAS;YAC/C,eAAe,EAAE,EAAE,EAAE,yBAAyB;YAC9C,oBAAoB,EAAE,EAAE,EAAE,yBAAyB;YACnD,KAAK,EAAE,SAAS;YAChB,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC;YAC/D,SAAS,EAAE,MAAM,CAAC,QAAQ,EAAE,SAAS;YACrC,SAAS,EAAE,MAAM,CAAC,QAAQ,EAAE,SAAS;SACtC,CAAC,CAAC;IACP,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,iBAAiB,CAC7B,MAAmB,EACnB,eAAuB,EACvB,eAAuB;QAEvB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;QACnB,MAAM,cAAc,GAAG,MAAM,eAAe,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;QAC3E,MAAM,YAAY,GAAG,eAAe,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QAEhE,4BAA4B;QAC5B,MAAM,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC;aACzB,GAAG,CAAC;YACH,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,gBAAgB,EAAE,SAAS;SAC5B,CAAC;aACD,KAAK,CAAC,EAAE,CAAC,WAAW,CAAC,gBAAgB,EAAE,YAAY,CAAC,CAAC,CAAC;QAEzD,mBAAmB;QACnB,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IACzD,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,gBAAgB,CAC5B,KAAoB,EACpB,MAAmB;QAEnB,MAAM,CAAC,IAAI,CAAC,mBAAmB,KAAK,eAAe,MAAM,CAAC,QAAQ,UAAU,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7F,2BAA2B;IAC7B,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,kBAAkB,CAAC,MAAmB;QAClD,oCAAoC;QACpC,MAAM,CAAC,KAAK,CAAC,iDAAiD,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IACjF,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,sBAAsB;QAC1B,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;QACnB,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAAC;QAEzE,MAAM,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC;aACzB,GAAG,CAAC;YACH,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,gBAAgB,EAAE,SAAS;SAC5B,CAAC;aACD,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,WAAW,CAAC,SAAS,EAAE,IAAI,CAAC,EAC/B,EAAE,CAAC,WAAW,CAAC,SAAS,EAAE,WAAW,CAAC,CACvC,CACF,CAAC;QAEJ,MAAM,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACpD,CAAC;CACF;AAED,4BAA4B;AAC5B,MAAM,CAAC,MAAM,mBAAmB,GAAG,IAAI,mBAAmB,EAAE,CAAC"}

package/dist/server/oauth/security.d.ts

@@ -0,0 +1,101 @@
+/**
+ * State data for CSRF protection
+ */
+export interface StateData {
+    clientId: string;
+    redirectUri: string;
+    nonce: string;
+    scope?: string;
+    codeChallenge?: string;
+    codeChallengeMethod?: 'S256' | 'plain';
+    createdAt: Date;
+    expiresAt: Date;
+    ipAddress?: string;
+    userAgent?: string;
+    fingerprint?: string;
+}
+/**
+ * OAuth Security Manager
+ * Handles CSRF protection, state management, and nonce generation
+ */
+export declare class OAuthSecurity {
+    private stateStore;
+    private usedNonces;
+    private readonly STATE_TTL;
+    private readonly NONCE_TTL;
+    /**
+     * Generate a secure state token with embedded data
+     * Uses JWT for tamper-proof state management
+     */
+    generateStateToken(data: Omit<StateData, 'createdAt' | 'expiresAt'>): Promise<string>;
+    /**
+     * Validate state token and extract data
+     * Prevents CSRF attacks by ensuring state matches
+     */
+    validateState(token: string): Promise<StateData | null>;
+    /**
+     * Generate cryptographically secure nonce
+     * Used for OpenID Connect flows
+     */
+    generateNonce(): string;
+    /**
+     * Validate nonce hasn't been used before
+     */
+    validateNonce(nonce: string): boolean;
+    /**
+     * Generate browser fingerprint for additional security
+     * Combines multiple browser characteristics
+     */
+    generateFingerprint(req: any): string;
+    /**
+     * Validate request fingerprint matches stored one
+     */
+    validateFingerprint(stored: string | undefined, current: string): boolean;
+    /**
+     * Clean up expired states to prevent memory leak
+     */
+    private cleanupExpiredStates;
+    /**
+     * Clean up old nonces to prevent memory leak
+     */
+    private cleanupOldNonces;
+    /**
+     * Validate redirect URI against whitelist
+     * Prevents open redirect vulnerabilities
+     */
+    validateRedirectUri(uri: string, clientId: string): boolean;
+    /**
+     * Get allowed redirect URIs for a client
+     * In production, this should query from database
+     */
+    private getAllowedRedirectUris;
+    /**
+     * Validate authorization request parameters
+     * Comprehensive validation for security
+     */
+    validateAuthorizationRequest(params: {
+        response_type: string;
+        client_id: string;
+        redirect_uri: string;
+        scope?: string;
+        state?: string;
+        code_challenge?: string;
+        code_challenge_method?: string;
+    }): {
+        valid: boolean;
+        error?: string;
+    };
+    /**
+     * Get statistics about stored states
+     */
+    getStats(): {
+        states: number;
+        nonces: number;
+    };
+    /**
+     * Clear all states and nonces (for testing)
+     */
+    clearAll(): void;
+}
+export declare const oauthSecurity: OAuthSecurity;
+//# sourceMappingURL=security.d.ts.map

package/dist/server/oauth/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/security.ts"],"names":[],"mappings":"AAIA;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;IACvC,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;GAGG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,UAAU,CAAgC;IAClD,OAAO,CAAC,UAAU,CAAqB;IACvC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAkB;IAC5C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAkB;IAE5C;;;OAGG;IACG,kBAAkB,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,EAAE,WAAW,GAAG,WAAW,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;IAkC3F;;;OAGG;IACG,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IA2C7D;;;OAGG;IACH,aAAa,IAAI,MAAM;IAcvB;;OAEG;IACH,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAYrC;;;OAGG;IACH,mBAAmB,CAAC,GAAG,EAAE,GAAG,GAAG,MAAM;IAgBrC;;OAEG;IACH,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO;IAczE;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAgB5B;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAUxB;;;OAGG;IACH,mBAAmB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO;IAa3D;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAM9B;;;OAGG;IACH,4BAA4B,CAAC,MAAM,EAAE;QACnC,aAAa,EAAE,MAAM,CAAC;QACtB,SAAS,EAAE,MAAM,CAAC;QAClB,YAAY,EAAE,MAAM,CAAC;QACrB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,qBAAqB,CAAC,EAAE,MAAM,CAAC;KAChC,GAAG;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IA4DtC;;OAEG;IACH,QAAQ,IAAI;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE;IAS9C;;OAEG;IACH,QAAQ,IAAI,IAAI;CAKjB;AAGD,eAAO,MAAM,aAAa,eAAsB,CAAC"}

package/dist/server/oauth/security.js

@@ -0,0 +1,268 @@
+import { randomBytes, createHash } from 'crypto';
+import { SignJWT, jwtVerify } from 'jose';
+import { logger } from '../../utils/logger.js';
+/**
+ * OAuth Security Manager
+ * Handles CSRF protection, state management, and nonce generation
+ */
+export class OAuthSecurity {
+    stateStore = new Map();
+    usedNonces = new Set();
+    STATE_TTL = 10 * 60 * 1000; // 10 minutes
+    NONCE_TTL = 60 * 60 * 1000; // 1 hour
+    /**
+     * Generate a secure state token with embedded data
+     * Uses JWT for tamper-proof state management
+     */
+    async generateStateToken(data) {
+        const stateId = randomBytes(16).toString('base64url');
+        const now = new Date();
+        const expiresAt = new Date(now.getTime() + this.STATE_TTL);
+        const stateData = {
+            ...data,
+            createdAt: now,
+            expiresAt,
+        };
+        // Store in memory for quick validation
+        this.stateStore.set(stateId, stateData);
+        // Create JWT with state data
+        const secret = new TextEncoder().encode(process.env.STATE_SECRET || 'dev-state-secret-change-in-production');
+        const jwt = await new SignJWT({
+            sid: stateId,
+            cid: data.clientId,
+            ruri: data.redirectUri,
+            nonce: data.nonce,
+            iat: Math.floor(now.getTime() / 1000),
+            exp: Math.floor(expiresAt.getTime() / 1000),
+        })
+            .setProtectedHeader({ alg: 'HS256' })
+            .setIssuedAt()
+            .setExpirationTime('10m')
+            .sign(secret);
+        logger.debug(`Generated state token for client ${data.clientId}`);
+        return jwt;
+    }
+    /**
+     * Validate state token and extract data
+     * Prevents CSRF attacks by ensuring state matches
+     */
+    async validateState(token) {
+        try {
+            const secret = new TextEncoder().encode(process.env.STATE_SECRET || 'dev-state-secret-change-in-production');
+            // Verify JWT signature and expiration
+            const { payload } = await jwtVerify(token, secret, {
+                algorithms: ['HS256'],
+            });
+            const stateId = payload.sid;
+            const stateData = this.stateStore.get(stateId);
+            if (!stateData) {
+                logger.warn(`State data not found for ID ${stateId}`);
+                return null;
+            }
+            // Check expiration
+            if (new Date() > stateData.expiresAt) {
+                logger.warn(`State token expired for ID ${stateId}`);
+                this.stateStore.delete(stateId);
+                return null;
+            }
+            // Validate data consistency
+            if (stateData.clientId !== payload.cid ||
+                stateData.redirectUri !== payload.ruri ||
+                stateData.nonce !== payload.nonce) {
+                logger.error('State data mismatch - possible tampering detected');
+                return null;
+            }
+            // Remove used state to prevent replay
+            this.stateStore.delete(stateId);
+            logger.info(`State validation successful for client ${stateData.clientId}`);
+            return stateData;
+        }
+        catch (error) {
+            logger.error('State validation failed:', error);
+            return null;
+        }
+    }
+    /**
+     * Generate cryptographically secure nonce
+     * Used for OpenID Connect flows
+     */
+    generateNonce() {
+        const nonce = randomBytes(16).toString('base64url');
+        const nonceHash = createHash('sha256').update(nonce).digest('hex');
+        // Store nonce hash to prevent replay
+        this.usedNonces.add(nonceHash);
+        // Clean old nonces periodically
+        this.cleanupOldNonces();
+        logger.debug('Generated new nonce');
+        return nonce;
+    }
+    /**
+     * Validate nonce hasn't been used before
+     */
+    validateNonce(nonce) {
+        const nonceHash = createHash('sha256').update(nonce).digest('hex');
+        if (this.usedNonces.has(nonceHash)) {
+            logger.warn('Nonce replay detected');
+            return false;
+        }
+        this.usedNonces.add(nonceHash);
+        return true;
+    }
+    /**
+     * Generate browser fingerprint for additional security
+     * Combines multiple browser characteristics
+     */
+    generateFingerprint(req) {
+        const components = [
+            req.headers['user-agent'] || '',
+            req.headers['accept-language'] || '',
+            req.headers['accept-encoding'] || '',
+            req.ip || req.connection.remoteAddress || '',
+        ];
+        const fingerprint = createHash('sha256')
+            .update(components.join('|'))
+            .digest('base64url');
+        logger.debug('Generated browser fingerprint');
+        return fingerprint;
+    }
+    /**
+     * Validate request fingerprint matches stored one
+     */
+    validateFingerprint(stored, current) {
+        if (!stored) {
+            return true; // No fingerprint stored, skip validation
+        }
+        const isValid = stored === current;
+        if (!isValid) {
+            logger.warn('Browser fingerprint mismatch - possible session hijacking');
+        }
+        return isValid;
+    }
+    /**
+     * Clean up expired states to prevent memory leak
+     */
+    cleanupExpiredStates() {
+        const now = new Date();
+        let cleaned = 0;
+        for (const [id, state] of this.stateStore.entries()) {
+            if (now > state.expiresAt) {
+                this.stateStore.delete(id);
+                cleaned++;
+            }
+        }
+        if (cleaned > 0) {
+            logger.debug(`Cleaned up ${cleaned} expired states`);
+        }
+    }
+    /**
+     * Clean up old nonces to prevent memory leak
+     */
+    cleanupOldNonces() {
+        // Keep only last 1000 nonces
+        if (this.usedNonces.size > 1000) {
+            const toKeep = Array.from(this.usedNonces).slice(-500);
+            this.usedNonces.clear();
+            toKeep.forEach(nonce => this.usedNonces.add(nonce));
+            logger.debug('Cleaned up old nonces');
+        }
+    }
+    /**
+     * Validate redirect URI against whitelist
+     * Prevents open redirect vulnerabilities
+     */
+    validateRedirectUri(uri, clientId) {
+        const allowedUris = this.getAllowedRedirectUris(clientId);
+        // Exact match required (OAuth 2.1 requirement)
+        const isValid = allowedUris.includes(uri);
+        if (!isValid) {
+            logger.error(`Invalid redirect URI: ${uri} for client ${clientId}`);
+        }
+        return isValid;
+    }
+    /**
+     * Get allowed redirect URIs for a client
+     * In production, this should query from database
+     */
+    getAllowedRedirectUris(clientId) {
+        // TODO: Fetch from database based on clientId
+        const uris = process.env[`${clientId.toUpperCase()}_REDIRECT_URIS`];
+        return uris ? uris.split(',') : [];
+    }
+    /**
+     * Validate authorization request parameters
+     * Comprehensive validation for security
+     */
+    validateAuthorizationRequest(params) {
+        // Response type must be 'code' (OAuth 2.1 - no implicit flow)
+        if (params.response_type !== 'code') {
+            return {
+                valid: false,
+                error: 'Invalid response_type. Only "code" is supported'
+            };
+        }
+        // Client ID required
+        if (!params.client_id) {
+            return {
+                valid: false,
+                error: 'Missing client_id'
+            };
+        }
+        // Redirect URI required and must be valid
+        if (!params.redirect_uri) {
+            return {
+                valid: false,
+                error: 'Missing redirect_uri'
+            };
+        }
+        if (!this.validateRedirectUri(params.redirect_uri, params.client_id)) {
+            return {
+                valid: false,
+                error: 'Invalid redirect_uri'
+            };
+        }
+        // State parameter required (CSRF protection)
+        if (!params.state) {
+            return {
+                valid: false,
+                error: 'Missing state parameter'
+            };
+        }
+        // PKCE required for all clients (OAuth 2.1)
+        if (!params.code_challenge) {
+            return {
+                valid: false,
+                error: 'Missing code_challenge (PKCE required)'
+            };
+        }
+        // S256 method required (plain is deprecated)
+        if (params.code_challenge_method && params.code_challenge_method !== 'S256') {
+            return {
+                valid: false,
+                error: 'Invalid code_challenge_method. Only S256 is supported'
+            };
+        }
+        logger.info(`Authorization request validated for client ${params.client_id}`);
+        return { valid: true };
+    }
+    /**
+     * Get statistics about stored states
+     */
+    getStats() {
+        this.cleanupExpiredStates();
+        return {
+            states: this.stateStore.size,
+            nonces: this.usedNonces.size,
+        };
+    }
+    /**
+     * Clear all states and nonces (for testing)
+     */
+    clearAll() {
+        this.stateStore.clear();
+        this.usedNonces.clear();
+        logger.debug('Cleared all states and nonces');
+    }
+}
+// Export singleton instance
+export const oauthSecurity = new OAuthSecurity();
+//# sourceMappingURL=security.js.map

package/dist/server/oauth/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../../src/server/oauth/security.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACjD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAmB/C;;;GAGG;AACH,MAAM,OAAO,aAAa;IAChB,UAAU,GAAG,IAAI,GAAG,EAAqB,CAAC;IAC1C,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACtB,SAAS,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,aAAa;IACzC,SAAS,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,SAAS;IAEtD;;;OAGG;IACH,KAAK,CAAC,kBAAkB,CAAC,IAAgD;QACvE,MAAM,OAAO,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACtD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC;QAE3D,MAAM,SAAS,GAAc;YAC3B,GAAG,IAAI;YACP,SAAS,EAAE,GAAG;YACd,SAAS;SACV,CAAC;QAEF,uCAAuC;QACvC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAExC,6BAA6B;QAC7B,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,uCAAuC,CAAC,CAAC;QAE7G,MAAM,GAAG,GAAG,MAAM,IAAI,OAAO,CAAC;YAC5B,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,IAAI,CAAC,QAAQ;YAClB,IAAI,EAAE,IAAI,CAAC,WAAW;YACtB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC;YACrC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC;SAC5C,CAAC;aACC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;aACpC,WAAW,EAAE;aACb,iBAAiB,CAAC,KAAK,CAAC;aACxB,IAAI,CAAC,MAAM,CAAC,CAAC;QAEhB,MAAM,CAAC,KAAK,CAAC,oCAAoC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;QAClE,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,aAAa,CAAC,KAAa;QAC/B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,uCAAuC,CAAC,CAAC;YAE7G,sCAAsC;YACtC,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE;gBACjD,UAAU,EAAE,CAAC,OAAO,CAAC;aACtB,CAAC,CAAC;YAEH,MAAM,OAAO,GAAG,OAAO,CAAC,GAAa,CAAC;YACtC,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAE/C,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,CAAC,+BAA+B,OAAO,EAAE,CAAC,CAAC;gBACtD,OAAO,IAAI,CAAC;YACd,CAAC;YAED,mBAAmB;YACnB,IAAI,IAAI,IAAI,EAAE,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC;gBACrC,MAAM,CAAC,IAAI,CAAC,8BAA8B,OAAO,EAAE,CAAC,CAAC;gBACrD,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;gBAChC,OAAO,IAAI,CAAC;YACd,CAAC;YAED,4BAA4B;YAC5B,IAAI,SAAS,CAAC,QAAQ,KAAK,OAAO,CAAC,GAAG;gBAClC,SAAS,CAAC,WAAW,KAAK,OAAO,CAAC,IAAI;gBACtC,SAAS,CAAC,KAAK,KAAK,OAAO,CAAC,KAAK,EAAE,CAAC;gBACtC,MAAM,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;gBAClE,OAAO,IAAI,CAAC;YACd,CAAC;YAED,sCAAsC;YACtC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAEhC,MAAM,CAAC,IAAI,CAAC,0CAA0C,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC5E,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;YAChD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,aAAa;QACX,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACpD,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAEnE,qCAAqC;QACrC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAE/B,gCAAgC;QAChC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAExB,MAAM,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACpC,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,KAAa;QACzB,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAEnE,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YACrC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC/B,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACH,mBAAmB,CAAC,GAAQ;QAC1B,MAAM,UAAU,GAAG;YACjB,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE;YAC/B,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,IAAI,EAAE;YACpC,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,IAAI,EAAE;YACpC,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,UAAU,CAAC,aAAa,IAAI,EAAE;SAC7C,CAAC;QAEF,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,CAAC;aACrC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;aAC5B,MAAM,CAAC,WAAW,CAAC,CAAC;QAEvB,MAAM,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;QAC9C,OAAO,WAAW,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,mBAAmB,CAAC,MAA0B,EAAE,OAAe;QAC7D,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC,CAAC,yCAAyC;QACxD,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,KAAK,OAAO,CAAC;QAEnC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC,2DAA2D,CAAC,CAAC;QAC3E,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACK,oBAAoB;QAC1B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,OAAO,GAAG,CAAC,CAAC;QAEhB,KAAK,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;YACpD,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;gBAC1B,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBAC3B,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QAED,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;YAChB,MAAM,CAAC,KAAK,CAAC,cAAc,OAAO,iBAAiB,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED;;OAEG;IACK,gBAAgB;QACtB,6BAA6B;QAC7B,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,GAAG,IAAI,EAAE,CAAC;YAChC,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC;YACvD,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YACxB,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;YACpD,MAAM,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;QACxC,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,mBAAmB,CAAC,GAAW,EAAE,QAAgB;QAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,sBAAsB,CAAC,QAAQ,CAAC,CAAC;QAE1D,+CAA+C;QAC/C,MAAM,OAAO,GAAG,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAE1C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,CAAC,KAAK,CAAC,yBAAyB,GAAG,eAAe,QAAQ,EAAE,CAAC,CAAC;QACtE,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;OAGG;IACK,sBAAsB,CAAC,QAAgB;QAC7C,8CAA8C;QAC9C,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACrC,CAAC;IAED;;;OAGG;IACH,4BAA4B,CAAC,MAQ5B;QACC,8DAA8D;QAC9D,IAAI,MAAM,CAAC,aAAa,KAAK,MAAM,EAAE,CAAC;YACpC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,iDAAiD;aACzD,CAAC;QACJ,CAAC;QAED,qBAAqB;QACrB,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,mBAAmB;aAC3B,CAAC;QACJ,CAAC;QAED,0CAA0C;QAC1C,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YACzB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,sBAAsB;aAC9B,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;YACrE,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,sBAAsB;aAC9B,CAAC;QACJ,CAAC;QAED,6CAA6C;QAC7C,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,yBAAyB;aACjC,CAAC;QACJ,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YAC3B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,wCAAwC;aAChD,CAAC;QACJ,CAAC;QAED,6CAA6C;QAC7C,IAAI,MAAM,CAAC,qBAAqB,IAAI,MAAM,CAAC,qBAAqB,KAAK,MAAM,EAAE,CAAC;YAC5E,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,uDAAuD;aAC/D,CAAC;QACJ,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,8CAA8C,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;QAC9E,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAE5B,OAAO;YACL,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI;YAC5B,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI;SAC7B,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QACxB,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QACxB,MAAM,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAChD,CAAC;CACF;AAED,4BAA4B;AAC5B,MAAM,CAAC,MAAM,aAAa,GAAG,IAAI,aAAa,EAAE,CAAC"}

package/dist/server/oauth/tokenEncryption.d.ts

@@ -0,0 +1,80 @@
+/**
+ * Encrypted token structure
+ */
+export interface EncryptedToken {
+    encrypted: string;
+    hash: string;
+}
+/**
+ * Token Encryption Manager
+ * Provides AES-256-GCM encryption for tokens at rest
+ */
+export declare class TokenEncryption {
+    private readonly algorithm;
+    private readonly saltLength;
+    private readonly tagLength;
+    private readonly ivLength;
+    private readonly keyLength;
+    /**
+     * Encrypt a token using AES-256-GCM
+     * Returns encrypted data and a hash for indexing
+     */
+    encryptToken(plaintext: string): Promise<EncryptedToken>;
+    /**
+     * Decrypt a token
+     */
+    decryptToken(encryptedData: string): Promise<string>;
+    /**
+     * Hash a token for indexing
+     * Uses SHA256 for consistent hashing
+     */
+    hashToken(token: string): string;
+    /**
+     * Verify a plaintext token matches a hash
+     */
+    verifyTokenHash(plaintext: string, hash: string): boolean;
+    /**
+     * Encrypt sensitive data (generic, not just tokens)
+     */
+    encrypt(text: string): Promise<string>;
+    /**
+     * Decrypt sensitive data (generic)
+     */
+    decrypt(encryptedData: string): Promise<string>;
+    /**
+     * Derive encryption key from password and salt
+     * Uses scrypt for key derivation
+     */
+    private deriveKey;
+    /**
+     * Get the master encryption key
+     * In production, this should come from a secure key management service
+     */
+    private getEncryptionKey;
+    /**
+     * Rotate encryption (re-encrypt with new salt/IV)
+     * Useful for key rotation scenarios
+     */
+    rotateEncryption(encryptedData: string): Promise<EncryptedToken>;
+    /**
+     * Batch encrypt multiple tokens
+     * More efficient than individual encryption
+     */
+    encryptBatch(tokens: string[]): Promise<EncryptedToken[]>;
+    /**
+     * Batch decrypt multiple tokens
+     */
+    decryptBatch(encryptedTokens: string[]): Promise<string[]>;
+    /**
+     * Generate a secure random token
+     * Useful for generating access/refresh tokens
+     */
+    generateSecureToken(length?: number): string;
+    /**
+     * Validate encryption key on startup
+     * Ensures the key meets security requirements
+     */
+    validateEncryptionSetup(): boolean;
+}
+export declare const tokenEncryption: TokenEncryption;
+//# sourceMappingURL=tokenEncryption.d.ts.map

package/dist/server/oauth/tokenEncryption.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenEncryption.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/tokenEncryption.ts"],"names":[],"mappings":"AAMA;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;;GAGG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAiB;IAC3C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAM;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAM;IAChC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAM;IAC/B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAM;IAEhC;;;OAGG;IACG,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAyC9D;;OAEG;IACG,YAAY,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA8C1D;;;OAGG;IACH,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;IAQhC;;OAEG;IACH,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO;IAkBzD;;OAEG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAK5C;;OAEG;IACG,OAAO,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAIrD;;;OAGG;YACW,SAAS;IAKvB;;;OAGG;IACH,OAAO,CAAC,gBAAgB;IAexB;;;OAGG;IACG,gBAAgB,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAQtE;;;OAGG;IACG,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAI/D;;OAEG;IACG,YAAY,CAAC,eAAe,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAIhE;;;OAGG;IACH,mBAAmB,CAAC,MAAM,GAAE,MAAW,GAAG,MAAM;IAIhD;;;OAGG;IACH,uBAAuB,IAAI,OAAO;CA4BnC;AAGD,eAAO,MAAM,eAAe,iBAAwB,CAAC"}